94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a

Analysis

max time kernel
118s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Size

7.3MB
MD5

eaa9e76db93e9fb08f82f7efb39dabcd
SHA1

48b0965b735e3600deb6652b26873e01ec681408
SHA256

94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a
SHA512

b5ea15f76a340c0e1bc59861f77b1d47b7f6ac49ac7dcb271cf85573a45b7fe3661e8df74438a52bf0ba9a5a8c8759d654e65a03232e5936e6125f1a3bcda225
SSDEEP

98304:/yDQkeSLhuba4o3r0fCjA5DT08GHXngvuHEkvPj/zODZVWsikrdrn+oulLguUra0:mQTSLXg6r8G3n4uHNeVThrdrn+F+1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2284	数据处理器4.7.exe
2060	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
1996	MsiExec.exe
1596	MsiExec.exe
1596	MsiExec.exe
1596	MsiExec.exe
1596	MsiExec.exe
1596	MsiExec.exe
1404	MsiExec.exe
3032	msiexec.exe
2060	svchost.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\W:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\N:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\U:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\Q:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\O:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\R:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\K:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\I:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\MonKeyDu\zj\libcef.dll	msiexec.exe
File created	C:\Program Files\MonKeyDu\zj\svchost.exe	msiexec.exe
File created	C:\Program Files\MonKeyDu\zj\数据处理器4.7.exe	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI4146.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43F8.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI405A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41E3.tmp	msiexec.exe
File created	C:\Windows\Installer\f763ff0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f763ff0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f763fed.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4551.tmp	msiexec.exe
File created	C:\Windows\Installer\f763ff2.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f763fed.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 62 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmic.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	数据处理器4.7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmic.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local"	数据处理器4.7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\34585BE57E07F3B4899EEBFCC4E10679\2F8787D86DA28914C98A33E3B62245E5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2F8787D86DA28914C98A33E3B62245E5\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\MonKeyDu\\zj 1.0.0\\install\\B22545E\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\34585BE57E07F3B4899EEBFCC4E10679	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\PackageName = "zj.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\MonKeyDu\\zj 1.0.0\\install\\B22545E\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2F8787D86DA28914C98A33E3B62245E5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\ProductName = "zj"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\PackageCode = "51EA08321159446489C11EACABB63F8D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F8787D86DA28914C98A33E3B62245E5\Version = "16777216"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
3032	msiexec.exe
3032	msiexec.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3032	msiexec.exe
Token: SeTakeOwnershipPrivilege	3032	msiexec.exe
Token: SeSecurityPrivilege	3032	msiexec.exe
Token: SeCreateTokenPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeAssignPrimaryTokenPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeLockMemoryPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeIncreaseQuotaPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeMachineAccountPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeTcbPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSecurityPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeTakeOwnershipPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeLoadDriverPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSystemProfilePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSystemtimePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeProfSingleProcessPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeIncBasePriorityPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeCreatePagefilePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeCreatePermanentPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeBackupPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeRestorePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeShutdownPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeDebugPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeAuditPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSystemEnvironmentPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeChangeNotifyPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeRemoteShutdownPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeUndockPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSyncAgentPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeEnableDelegationPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeManageVolumePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeImpersonatePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeCreateGlobalPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeCreateTokenPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeAssignPrimaryTokenPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeLockMemoryPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeIncreaseQuotaPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeMachineAccountPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeTcbPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSecurityPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeTakeOwnershipPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeLoadDriverPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSystemProfilePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSystemtimePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeProfSingleProcessPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeIncBasePriorityPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeCreatePagefilePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeCreatePermanentPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeBackupPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeRestorePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeShutdownPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeDebugPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeAuditPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSystemEnvironmentPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeChangeNotifyPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeRemoteShutdownPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeUndockPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeSyncAgentPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeEnableDelegationPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeManageVolumePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeImpersonatePrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeCreateGlobalPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeCreateTokenPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeAssignPrimaryTokenPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
Token: SeLockMemoryPrivilege	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
2888	msiexec.exe
2888	msiexec.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1996	3032	msiexec.exe	29
PID 3032 wrote to memory of 1996	3032	msiexec.exe	29
PID 3032 wrote to memory of 1996	3032	msiexec.exe	29
PID 3032 wrote to memory of 1996	3032	msiexec.exe	29
PID 3032 wrote to memory of 1996	3032	msiexec.exe	29
PID 3032 wrote to memory of 1996	3032	msiexec.exe	29
PID 3032 wrote to memory of 1996	3032	msiexec.exe	29
PID 2220 wrote to memory of 2888	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe	30
PID 2220 wrote to memory of 2888	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe	30
PID 2220 wrote to memory of 2888	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe	30
PID 2220 wrote to memory of 2888	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe	30
PID 2220 wrote to memory of 2888	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe	30
PID 2220 wrote to memory of 2888	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe	30
PID 2220 wrote to memory of 2888	2220	94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe	30
PID 3032 wrote to memory of 1596	3032	msiexec.exe	34
PID 3032 wrote to memory of 1596	3032	msiexec.exe	34
PID 3032 wrote to memory of 1596	3032	msiexec.exe	34
PID 3032 wrote to memory of 1596	3032	msiexec.exe	34
PID 3032 wrote to memory of 1596	3032	msiexec.exe	34
PID 3032 wrote to memory of 1596	3032	msiexec.exe	34
PID 3032 wrote to memory of 1596	3032	msiexec.exe	34
PID 3032 wrote to memory of 1404	3032	msiexec.exe	35
PID 3032 wrote to memory of 1404	3032	msiexec.exe	35
PID 3032 wrote to memory of 1404	3032	msiexec.exe	35
PID 3032 wrote to memory of 1404	3032	msiexec.exe	35
PID 3032 wrote to memory of 1404	3032	msiexec.exe	35
PID 3032 wrote to memory of 1404	3032	msiexec.exe	35
PID 3032 wrote to memory of 1404	3032	msiexec.exe	35
PID 3032 wrote to memory of 2284	3032	msiexec.exe	36
PID 3032 wrote to memory of 2284	3032	msiexec.exe	36
PID 3032 wrote to memory of 2284	3032	msiexec.exe	36
PID 3032 wrote to memory of 2060	3032	msiexec.exe	37
PID 3032 wrote to memory of 2060	3032	msiexec.exe	37
PID 3032 wrote to memory of 2060	3032	msiexec.exe	37
PID 3032 wrote to memory of 2060	3032	msiexec.exe	37
PID 2060 wrote to memory of 956	2060	svchost.exe	38
PID 2060 wrote to memory of 956	2060	svchost.exe	38
PID 2060 wrote to memory of 956	2060	svchost.exe	38
PID 2060 wrote to memory of 956	2060	svchost.exe	38
PID 2060 wrote to memory of 556	2060	svchost.exe	41
PID 2060 wrote to memory of 556	2060	svchost.exe	41
PID 2060 wrote to memory of 556	2060	svchost.exe	41
PID 2060 wrote to memory of 556	2060	svchost.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe
"C:\Users\Admin\AppData\Local\Temp\94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\MonKeyDu\zj 1.0.0\install\B22545E\zj.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\94bc438fe73af777b3339972a5e4e5d93cba3e937a134a27e7ff4fb41d7eb62a.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1715897903 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C152001C5999E16E5EFCA54ED942A1B6 C
  2⤵
  - Loads dropped DLL
  PID:1996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7B4EB05D5FD925D0F1A45771A756810E
  2⤵
  - Loads dropped DLL
  PID:1596
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0006033EBA382981398EBB2EB6C75E74 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1404
- C:\Program Files\MonKeyDu\zj\数据处理器4.7.exe
  "C:\Program Files\MonKeyDu\zj\数据处理器4.7.exe" start
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2284
- C:\Program Files\MonKeyDu\zj\svchost.exe
  "C:\Program Files\MonKeyDu\zj\svchost.exe" start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic cpu get processorid
    3⤵
    - Modifies data under HKEY_USERS
    PID:956
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic diskdrive get serialnumber
    3⤵
    - Modifies data under HKEY_USERS
    PID:556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2624

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A4" "00000000000003B0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f763ff1.rbs

Filesize
215KB

MD5
272bcdf55b9c0fcda043af9980641831

SHA1
b851dc64b26eb1995391081711ad8324f53724d5

SHA256
32c7999f7db13dbb6ddfbed4fb67f24763afab49cf0558ea56a0b3a464d5800d

SHA512
8838d3ff9057880ab67479a45fbca3db2a95c730153bb065f6caf7cc99788f791a60fe6dd742932553d1f2a05424091969fcc3890fb4200cac68644b5ddf7947

Download Submit
C:\Users\Admin\AppData\Roaming\MonKeyDu\zj 1.0.0\install\B22545E\libcef.dll

Filesize
5.6MB

MD5
a02f756c1f46697a79855e1b307f07c6

SHA1
d9bc053fe67f638dbfaed19323f8de4ca76e8013

SHA256
d53875560cdd7144439812a4f948a9992ffc8d34c1d9545b0e27f55c47e20c8e

SHA512
483355954218a486ca79cd72d2b4db437f1710ccc2670233bff8c2a4b4457db715ef83a826c79a70928266169b2054bb53be649643fd6115af7b564e59ce2958

Download Submit
C:\Users\Admin\AppData\Roaming\MonKeyDu\zj 1.0.0\install\B22545E\svchost.exe

Filesize
2.0MB

MD5
9037a40fb3c7b5948345acb3a9401c53

SHA1
2957d67dc98c7058e9e556f0690f86b22b1dbd5b

SHA256
97b33e2b233b779dad59cecb75f8da31f7a197c278118452dffa94bb6e178aa3

SHA512
b129e98fc7bc22186562d9b18f9236f1cc44ad8df657135029f4e1c577eb016d982ae7dce18eb06a3d207cf07a85f9c4986b765b6e918dad902c69ba3424f6cf

Download Submit
C:\Users\Admin\AppData\Roaming\MonKeyDu\zj 1.0.0\install\B22545E\zj.msi

Filesize
2.0MB

MD5
c6a0667438a9173ff5042a2247b5565a

SHA1
2a4df3785344f4e8f651f8344bcfb98be47eb64d

SHA256
3acbf3783ad80d157c852e7156c64539d805806ff3d4f0867d3858a0dfb5b32b

SHA512
acb3929f261b33e70f6d381832953ceef7ffd2b96c80143265b5cf814dc1001859c9c11b609216d50d28923282daab2a06aa077f3bfc295bc6ccdc97c061b23b

Download Submit
C:\Users\Admin\AppData\Roaming\MonKeyDu\zj 1.0.0\install\B22545E\数据处理器4.7.exe

Filesize
356KB

MD5
426bf2fd41c332bfae147c629409527b

SHA1
8481f6e0e4ac2dbab1cb4022f3b151de3a23b619

SHA256
06a85f5f5fe77b9564e9cc4d795dfc926236788f0f63b2b25d7841190c822f9e

SHA512
e42994581f833a98e385d90737952163c9777ef4d88eb25c2a6a80689193cbd244c3b27b28b48212c7d084c58a62e9c558c0e1b22b79a1b8d6ea2aa09fddf10f

Download Submit
C:\Windows\Installer\MSI41E3.tmp

Filesize
709KB

MD5
89136bfd28a2e1ec6b6d841214e1e670

SHA1
4c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab

SHA256
1a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec

SHA512
22237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812

Download Submit
C:\Windows\Installer\MSI43F8.tmp

Filesize
206KB

MD5
385488c351d17ecfa075a763eb5fecee

SHA1
88cadb754000d467a5a6cdba1b77a8b2b38f905e

SHA256
b3c88eddf3c6f36b0063fe0c4db62950643846c5c616dc2f255aa3a411cbbcff

SHA512
64e4341316fa0d10be92720b92adb34e1ef3ca4d39797d97f84d97bca429dd3d46bd6d3849d92652a87cd938cef96166d0cb3f5a79be8fe3899dcb7a8db3a1e3

Download Submit
\Users\Admin\AppData\Local\Temp\MSI20BA.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
memory/2060-95-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-94-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-78-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-82-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-97-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-98-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-84-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-93-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-92-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-90-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-89-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-88-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-86-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-85-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-83-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-96-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-81-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-91-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2060-87-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/2220-0-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2284-77-0x000000013F250000-0x000000013F2AC000-memory.dmp

Filesize
368KB

Download